API Development
Design RESTful JSON APIs with proper status codes, authentication, and error envelopes.
REST Principles
Resources map to nouns (/users, /orders). HTTP verbs express actions: GET read, POST create, PUT/PATCH update, DELETE remove. Return 201 with Location on create.
Use plural resource names consistently. Nest related resources shallowly: /orders/{id}/items.
Version APIs via URL prefix /v1 or Accept headers; document breaking changes in changelogs.
- Use the pagination query params page and per_page, and cap per_page server-side
- Include total counts in meta for clients
- Prefer PATCH for partial updates
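The conventions above put together in one Laravel controller, as an added example that is not code from the original page. It assumes Laravel 10, an App\Models\Product model whose $fillable lists name and price_cents, and a ProductResource whose toArray() returns id, name and price_cents; the route names come from the apiResource registration shown in the comment.

```php
<?php
// Added example (not from the original page). Assumed: Laravel 10, App\Models\Product
// (fillable: name, price_cents) and App\Http\Resources\ProductResource.
//
// routes/api.php:
//   Route::prefix('v1')->name('api.v1.')->group(function () {
//       Route::apiResource('products', ProductController::class); // registers api.v1.products.*
//   });

namespace App\Http\Controllers\Api\V1;

use App\Http\Controllers\Controller;
use App\Http\Resources\ProductResource;
use App\Models\Product;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Response;

class ProductController extends Controller
{
    // GET /api/v1/products?page=2&per_page=25
    public function index(Request $request): JsonResponse
    {
        $q = $request->validate([
            'page'     => ['sometimes', 'integer', 'min:1'],
            'per_page' => ['sometimes', 'integer', 'min:1', 'max:100'], // unbounded page sizes are a DoS vector
        ]);

        // paginate() reads ?page= itself; per_page is the validated, capped value or a default
        $paginator = Product::query()->orderBy('id')->paginate((int) ($q['per_page'] ?? 25));

        return response()->json([
            'data' => ProductResource::collection($paginator->getCollection())->resolve(),
            'meta' => [
                'page'     => $paginator->currentPage(),
                'per_page' => $paginator->perPage(),
                'total'    => $paginator->total(),
            ],
        ]);
    }

    // GET /api/v1/products/{product}  (route-model binding: an unknown id is a 404 before this runs)
    public function show(Product $product): JsonResponse
    {
        return (new ProductResource($product))->response(); // { "data": {...} }, status 200
    }

    // POST /api/v1/products  -> 201 Created, Location header pointing at the new resource
    public function store(Request $request): JsonResponse
    {
        $attrs = $request->validate([
            'name'        => ['required', 'string', 'max:255'],
            'price_cents' => ['required', 'integer', 'min:0'],
        ]);
        $product = Product::create($attrs); // only validated keys reach the model: no mass-assignment surprises

        return (new ProductResource($product))
            ->response()
            ->setStatusCode(201)
            ->header('Location', route('api.v1.products.show', $product));
    }

    // PATCH /api/v1/products/{product}  -> partial update; only the fields that were sent are touched
    public function update(Request $request, Product $product): JsonResponse
    {
        $attrs = $request->validate([
            'name'        => ['sometimes', 'string', 'max:255'],
            'price_cents' => ['sometimes', 'integer', 'min:0'],
        ]);
        $product->fill($attrs)->save();

        return (new ProductResource($product))->response();
    }

    // DELETE /api/v1/products/{product}  -> 204 No Content, empty body
    public function destroy(Product $product): Response
    {
        $product->delete();

        return response()->noContent();
    }
}
```

The validation arrays double as the allow-list for mass assignment: whatever a client sends beyond name and price_cents never reaches Product::create() or fill(), and the per_page cap stops a single request from pulling the whole table.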
// GET /api/v1/products/{id}  (controller action; $product is resolved by route-model binding)
return response()->json(['data' => $product], 200);
JSON and Authentication
Return application/json with consistent shapes: { data, meta, errors }. Use Laravel API resources or Fractal transformers for serialization layers.
Authenticate with Sanctum tokens, Passport OAuth, or JWT for SPAs and mobile clients. Rate limit auth endpoints aggressively.
Restrict CORS to an explicit allow-list of origins (config/cors.php allowed_origins); never reflect the request's Origin header back when credentials are allowed.
- Never leak stack traces in JSON errors in production
- Rotate API keys and tokens on compromise
- Log authentication failures with correlation IDs
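The error envelope, the no-stack-trace rule and the correlation-ID logging from this section, as an added example that is not the page's own code. It targets the Laravel 10 layout and shows two classes in one listing that belong in app/Http/Middleware/CorrelationId.php and app/Exceptions/Handler.php; the header name X-Request-Id, the error code strings and the 25-per-minute throttle are assumptions.

```php
<?php
// Added example, not from the original page. Laravel 10 layout; X-Request-Id and the
// "code" strings are assumptions.
//
// routes/api.php: throttle token issuance hard, and everything behind it moderately
//   Route::middleware('throttle:10,1')->post('/v1/auth/token', [AuthTokenController::class, 'store']);
//   Route::middleware(['auth:sanctum', 'throttle:60,1'])->prefix('v1')->group(function () { /* ... */ });

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;
use Symfony\Component\HttpFoundation\Response;

// Add to $middlewareGroups['api'] in app/Http/Kernel.php so every API request carries an ID.
class CorrelationId
{
    public function handle(Request $request, Closure $next): Response
    {
        // Honour an upstream ID only when it is plain token text; anything else could be log injection.
        $incoming = (string) $request->header('X-Request-Id', '');
        $id = preg_match('/^[A-Za-z0-9._-]{8,64}$/', $incoming) === 1 ? $incoming : (string) Str::uuid();

        $request->attributes->set('correlation_id', $id);
        Log::withContext(['correlation_id' => $id]); // every log line written during this request gets the ID

        $response = $next($request);
        $response->headers->set('X-Request-Id', $id); // echo it so clients can quote it in bug reports

        return $response;
    }
}

namespace App\Exceptions;

use Illuminate\Auth\AuthenticationException;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Validation\ValidationException;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
use Throwable;

class Handler extends ExceptionHandler
{
    public function register(): void
    {
        // Runs before Laravel's default rendering; returning null falls through for non-JSON clients.
        $this->renderable(function (Throwable $e, Request $request) {
            return $request->expectsJson() ? $this->envelope($e, $request) : null;
        });
    }

    private function envelope(Throwable $e, Request $request): JsonResponse
    {
        $cid = (string) $request->attributes->get('correlation_id', '');

        if ($e instanceof ValidationException) {
            $status = 422;
            $errors = [];
            foreach ($e->errors() as $field => $messages) {
                foreach ($messages as $msg) {
                    $errors[] = ['code' => 'validation_failed', 'field' => $field, 'detail' => $msg];
                }
            }
        } elseif ($e instanceof AuthenticationException) {
            $status = 401;
            $errors = [['code' => 'unauthenticated', 'detail' => 'Authentication required.']];
            // Auth failures are security events: log source and route, never the credential.
            // withContext() in the middleware already attaches correlation_id to this line.
            Log::warning('api.auth_failed', ['ip' => $request->ip(), 'path' => $request->path()]);
        } elseif ($e instanceof HttpExceptionInterface) {
            // Use the status text, not getMessage(): a 404 converted from ModelNotFoundException names the model class.
            $status = $e->getStatusCode();
            $errors = [['code' => 'http_'.$status, 'detail' => Response::$statusTexts[$status] ?? 'Error']];
        } else {
            // Unexpected exception: report() has already logged the trace with the ID; the client gets a fixed message.
            $status = 500;
            $errors = [['code' => 'server_error', 'detail' => 'Internal server error.']];
        }

        return response()->json(['data' => null, 'meta' => ['correlation_id' => $cid], 'errors' => $errors], $status);
    }
}
```

Every failure, from a 422 to a 500, now has the same { data, meta, errors } shape, and the only thing a client learns about a crash is a correlation ID that an operator can grep for in the logs, where the full trace and the auth-failure warnings share that same ID.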